We are pleased to announce that the OWASP Uruguay chapter will host the OWASP AppSec Latam 2012 conference in Montevideo, Uruguay at ANTEL National Telco Company. The event will be composed of 2 days of training (November 18-19), followed by 2 days of conference talks (November 20-21).

The Global AppSec Latin America 2012 Conference will be a reunion of Information Security latin american leaders, and will present cutting-edge ideas. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 200-250 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

The training will be held November 18th and 19th, 2012 (Sunday and Monday) at the ANTEL National Telco Company located in downtown Montevideo (conference talks are November 20th and 21st). This year we are offering 3 different courses:

Java Secure Coding

Course Overview

Training Audience: Technical
Required Skill Level: Intermediate

In this class we discuss secure coding techniques using Java. It is a very hands-on course with many labs. Everything is done from a developers perspective, NOT a hackers perspective. We make an effort to show what to do, and avoid the usual security paradigm of only discussing what not to do.

Advanced Vulnerability Research and Exploit Development

Gianni Gnesa, BCS, MSCS, CEH, OSCP, OSEE, Network+, Linux+, is a security researcher and professional trainer at Ptrace Security, a Swiss-based company that offers specialized IT security services to customers worldwide. With several years of experience in vulnerability research, exploit development, and penetration testing, Gianni is an expert in exposing the vulnerabilities of complex commercial products and modern network infrastructures. In his spare time, Gianni conducts independent security research on kernel exploitation and rootkit detection.

Course Abstract

The Advanced Vulnerability Research and Exploit Development course offers security professionals an opportunity to test and develop their skills like never before. During this class, attendees will be provided with the latest knowledge and tools to discover vulnerabilities and then develop exploits for a wide range of software including complex Windows applications, interpreted languages, and critical Microsoft services.

In the first half of the course, attendees will use reverse engineering and fuzzing to attack a wide variety of applications (many of which are critical to a successful penetration test) and then use the latest exploitation techniques available today to develop a reliable exploit for Windows 7 / Windows Server 2008.

In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, and how to use precise heap spraying.

By the end of this course, attendees will have a clear idea of what it’s necessary to find and exploit a vulnerability on a modern Windows machine.

This course is well-suited to penetration testers, exploit developers, malware analysts, and security professionals who are wishing to dive into vulnerability analysis and exploit writing.

More details about this class including a detailed outline, are available HERE

Hands on Web Application Testing: Assessing Web Apps the OWASP way

Instructor: Matt Tesauro

Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Course Abstract

The goal of the training session is to teach students how to identify, test, and exploit web application vulnerabilities. The creator and project lead of the OWASP Live CD, now recoined OWASP WTE, will be the instructor for this course and WTE will be a major component of the class. Through lecture, demonstrations, and hands on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands on labs to sharpen their skills and reinforce what they’ve learned. Students will also receive a complementary DVD containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and includes topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and Ajax vulnerabilities. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

More details about this class including a detailed outline, are available HERE

Jerry Hoff

"Building Security Into Frameworks: Who is doing it right": In this talk, Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security, will discuss the importance of security controls in mobile and web frameworks. The talk features a tour through a spectrum of languages and frameworks. A tip of the hat will be given to frameworks and security controls that demonstrably mitigate vulnerabilities, resulting in more secure code. A wag of the finger will be given to frameworks that either lack essential security controls, or implement them improperly.

Many of the OWASP Top 10 vulnerabilities and their corresponding security controls will be discussed. Participants will walk away with a better understanding of the security libraries available across a wide array of popular web technologies.

Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. Prior to joining WhiteHat, he was a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University's CAIT program, and the microcomputer program at University of Missouri in St. Louis. Jerry is the writer/producer of the popular OWASP Appsec Tutorial Series and the lead developer for the WebGoat.NET project.

Pravir Chandra

Everything you know about Injection Attack is wrong: This casual talk will take a look at several mundane vulnerabilities that we all know about and ask a few deeper questions. What are the underlying mechanisms? Does our advice on preventing them *actually* work? Is there a better way when you think of software design patterns? By the end, we’ll challenge the audience to think past the surface of these code vulnerabilities and hopefully learn a little about how the right abstraction model can save tons of security headaches.

Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify where he lead software security assurance programs for Fortune 500 clients in a variety of verticals. He is responsible for standing up the most comprehensive and measurably effective programs in existence today. As a thought leader in the security field for over 10 years, Pravir has written many articles, whitepapers, and books and is routinely invited to speak at businesses and conferences world-wide.

Hernán M. Racciatti

Hernan M. Racciatti has 20 years of experience in Information Technology, having dedicated most of his careers in areas related to Information Security.

Currently serves as Director of Security at SIClabs, advising private companies and public agencies, leading Penetration Test, Security Application Assessment, Code Source Review, pursuing researches about information security, teaching and offering seminars and technical lectures at conferences of national and international level related to his field.

Among his contributions to the community, should be noted: active participation as a collaborator in some ISECOM´s project (OSSTMM-Open Source Security Testing Methodology Manual and Hacker High School), OISSG (ISSAF – Information Systems Security Assessment Framework), the development of small tools designed to secure information systems and several papers, articles and technical documents written for digital and print publications whit national and international circulation.

During last year, he found and reported vulnerability in major commercial products.

These are the selected presentations and are subject to confirmation from presenters.

Name & Title

Bio

Assessing Application Security Risk, Alex Bauert

Application Security Manager, Cargill. 20+ years in IT; localized software, sysadm, and app sec among some other roles. I have worked with application security at a software company, a large bank and currently Cargill. I am also active in the Minnesota OWASP chapter. In my free time I am a youth soccer coach.

Flavio is the VP of Engineering for Professional Products at Core Securiry. His primary focus is on building and evolving CORE Impact Pro as well as introducing new professional products into the marketplace.

He has over 10 years of experience in penetration testing and IT security, having led onsite and remote penetration testing engagements for several clients worldwide. Prior to joining the Engineering team, he led the CORE Security Consulting Services practice where he coordinated leading-edge penetration testing services for multiple global organizations. Prior to joining CORE, he worked at Deloitte leading one of the global penetration testing centers located in Argentina. He also taught at ITBA University in Argentina until 2004.

Dario Gomez was formed in 2010 in computer sciences at the University ORT Uruguay. Currently he's working for 4 years as a software developer at Internet Address Registry for Latin America and the Caribbean - LACNIC, where one of main responsibilities is the development of the resources certification system of organization (http://lacnic.net/en/rpki/).

Previously, he worked at the help desk and maintenance of servers and networks in the British Hospital of Uruguay.

With more than 10 years of experience in IT & Security strategy, Business Continuity Management,ISO 27001, CobIT and ITIL he has developed Security Projects based in Dubai, Chicago, Montevideo and Buenos Aires.

Information Security Manager in global companies and currently working at McAfee Argentina in a presales role. CISSP, ITIL & MCP certified.

Graduated in Computer Science at Universidade Estadual do Ceará (2001), with a graduation study period in Informatique de Gestion at Université du Québec à Chicoutimi (1999). He has a Master's in Computer Science from Universidade de Fortaleza (2007). He has experience in Information Security and Software Engineering, acting on the following subjects: information and software security, business continuity, security engineering, and software life cycle process improvement. He is CISM and CSSLP certified.

Understanding HTML5 security, Andres Riancho

Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.

In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS; and contributed with SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

Andrés founded Bonsai in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.

Don't try to block out the sun with your fingers!: Information harvesting with Test-driven development tools and understanding how to avoid it, Nicolas Rodriguez

I'm a Senior Security Consultant at Core Security (http://www.coresecurity.com). I have 22 years of programming experience (C/C++, Assembler, Pascal, Clipper, Visual Basic, C#, Visual Basic.NET, Lisp, Python, Ruby and Perl among others), 10 years as a Network Administrator (Linux, Unix and Windows physical and virtual servers) and for the last 6 years I've been working as a Security Consultant doing mostly Network and Applications Penetration Tests, Source Code Audits and Client-Side Penetration Tests.

Professor Department of Computer Science & Engineering KL University Andhra Pradesh, India. Working in the Academic field for the past 17 years. Interested to contribute in the area of security metrics and cryptography. Developed a security metric program based on Attack Patterns.

Breno is a computer scientist with over 9 years experience in Information Security, experienced with a wide range of software development techniques and languages, security systems and network technologies. Breno brings a research history publishing articles in academic conferences like IEEE WIFS, IEEE ICMLC, IEEE INDIN, World Academy of Science, as well industry related conferences like OWASP AppSec Latam, OWASP AppSec Research and Ph-Neutral, involving areas as algorithm design for network anomaly detection mechanisms in high-speed networks, application security and malicious code detection. He was a member of Suricata IPS developer team (next-generation IPS funded by US-Homeland Security). Breno is currently a Security Researcher at Trustwave SpiderLabs Research team and maintainer of Apache ModSecurity.

Using PASTA as a core ingredient to web application threat modeling, Tony UcedaVelez

Tony UcedaVelez, CRISC, CISM, CISA, GIAC has more than 14 years of hands-on security and technology experience across government, healthcare, financial, education, and utility sectors. Tony founded VerSprite with the premise of redefining security services to a point that it reflects a hybrid and balanced approach in understanding client needs. Tony has consulted for numerous Fortune 500 organizations as well as large government entities within the areas of application security, security risk management, network security, and governance. Before VerSprite, Tony was the Sr. Director of Policy and Risk Management for a major Fortune 50 information service bureau. Tony's background in IT operations and software development, coupled with security operations, allows him to lead VerSprite with the mission of providing tailored, strategic solutions to its client base. Tony is a frequent speaker/ writer at ISACA, OWASP, and other information security forums around the world and is currently managing the Atlanta OWASP Chapter. He is also currently co-writing a book on application threat modeling via Wiley Life Sciences and has co-developed a patent pending methodology for risk based threat models. Tony is a graduate from Cornell University.

How dynamic have been static checking?, Felipe Zipitria

Felipe Zipitria has a Master Degree in Computer Science from PEDECIBA Informática and his thesis was in the Computer Security field. He is working as a Senior System Administrator and teaching since 1998 at the Computer Science department of the Faculty of Engineering - University of the Republic. From 2006 he joined the Computer Security Group, and has been doing research and teaching Computer Security foundations for pre-graduate students, and Application Security for professionals and as a post-graduate course. He has been using OWASP tools and documentation for its courses since the first course for pre-graduates. As a Senior System Administrator he has specialized in Web Security, using Web Application Firewalls, Apache Web Server and Apache Tomcat, Virtualization, and Clustering. He has made Security Analysis for local enterprises, and several Penetration Tests and Source Code Analysis.

Venue Sponsor

Accommodation

We've been able to arrange for accommodation with the Four Points Sheraton Hotel for attendees. These rooms have been allocated at a special rate, and available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event ensuring that if you are travelling interstate or international it's easy to find a room at a good rate. The room rate allocated for the event is $169/USD per night and includes breakfast.

Note: Conference events will primarily be held at the Antel National Telco Company. We will have a few events held at this hotel and are arranging for transportation between the Sheraton and Antel building.

We plan to start with a 1.5 hour session including an overview of the chapter handbook. This session will be video taped and available for chapter leaders to use in their local chapters (or to be viewed by those unable to attend). The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions. If you are interested in participating in either of these workshops, please register for the conference and select this workshop, please register for the Conference and select the optional session "chapter leaders workshop" as part of the registration process. Remember that conference attendance is free for current chapter and project leaders.

Sponsorship to Attend the Chapters Workshop

If you need financial assistance to attend the Chapter Leader Workshops please submit a request to via the Contact Us Form http://owasp4.owasp.org/contactus.html by the application deadline for each of the events.

Priority of sponsorships will be given to those not covered by a sponsorship to attend a previous workshop. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

When you apply for funding, please let us know *why we should sponsor you*. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application.

If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).

2012 AppSec Latam Conference Volunteer Team

OWASP Staff Support

Training Instructor Agreement

By submitting your training proposal through our CFT, you are consenting to stay within the guidelines of the Training Instructor Agreement. We will ask you to sign and complete the Agreement and email it back to us if your talk is selected and you accept.